CISO AccountabilityAdd bookmark
The Cyber Security Hub has showcased many thoughts on business enablement. As stated, the CISO has gone from The Department of No to the Department of Know, along the way transforming from a on prem perimeter mindset to a user/data infinite perimeter mindset.The global pandemic has enabled CISOs to fast forward cloud migration to cloud evolution, thus evolving the entirety of cyber security for the enterprise.
As the function and deliverables have changed dramatically in the past year, some things do remain constant for top cyber security executives. Among those aspects of consistency is taking accountability for the cyber security of the organization.
Joe Sullivan, Former CISO, Uber has been charged with obstruction of justice and misrepresentation of a felony by the FBI/DOJ due to allegedly deliberately covering-up the exposure of PII of half-a-million people and positioning the subsequent ransom paid as an ethical/white hat/bug bounty.
With that background, we asked the Cyber Security Hub community their thoughts on CISO accountability. To a person, all agreed that misrepresentation of a breach and misrepresentation of a ransom paid are inexcusable acts.
When asked about accountability, nearly every executive noted that CISO accountability is to the board. Some executives noted that baring negligence or malfeasance, accountability should be shared. And of course there are now new regulations- along with standing regulations for highly-regulated industries- in place which would preclude a multi-year cover-up from happening.
Most executives pointed to communication being the key. A CISO should be consistently communicating the acute risk to the enterprise posed by the current mindset, processes, policy and technology stack of the organization. When that information is communicated, accountability to the board is accomplished. From there, if a breach of impact- with an associated ransom- were to occur, there would be shared accountability.
Shared communication and accountability is then followed-up by a technology tour. Reviewing the stack at a high-level- ensuring that the Board realizes the evolution of risk mitigation along with the evolution of technology investment. And with a true technology evolution upon the industry, laying out the risk assumed when not making specific investments moving forward. The 2021 corporate enterprise infinite perimeter is completely different from the on-prem-focused perimeter of 2019. To not acknowledge that fact could be considered malfeasance in and of itself.
That does offer the opportunity- with deft negotiation, to continue to reinvent the systems of 2019 into the systems needed in 2021 and 2022. Defense in depth is a wonderful philosophy until faced with stacks of unnecessarily redundant tools and mountains of technical debt. Through that deft negotiation, discover what can be cut so that next generation technology can be added.
CISO accountability is about doing the right thing. But it’s also about gaining the actual budget needed to do the job and secure the enterprise in this brave new world.